FBI Finally Moves to Fix Its Text Retention Problem — and Mobile Phone Security
Back when DOJ IG released a report explaining its efforts to ensure it had reconstructed all of Peter Strzok and Lisa Page’s text messages, I pointed out that most people were missing the really important part of the story: FBI was making do with a vendor who — even after that scandal — still missed 10% of texts.
And in trying to invent an obstruction claim out of normal bureaucratic thriftiness, they are ignoring the really damning part of the IG Report. The government contractor whose “bug” was responsible for the text messages that weren’t originally archived (but which were later recovered) still can’t ensure more than 90% of FBI’s texts are recovered.
Among the other excuses FBI offers for replacing a tool with a 20% failure rate with one that still fails 10% of the time is the claim that “complete collection of text messages is neither required nor necessary to meet the FBI’s legal preservation obligations” (which goes back to how they require retention by policy, but not by a technologically enforced procedure). The FBI also says that it “is not aware of any solution that closes the collection gap entirely on its current mobile device platforms,” which makes me wonder why they keep buying new Samsungs if the Samsungs aren’t serving their needs, quite apart from the question of why we’d ask FBI Agents to use less secure Korean phones rather than more secure American ones (note that Mueller’s team is using iPhones).
This is a huge problem in discovery in criminal prosecutions. Just as an example, DOJ claims it didn’t have texts between the Agents who were officially staking MalwareTech out in Las Vegas before they arrested him in 2017 and … other Agents. But if FBI doesn’t actually competently archive those texts, how can they make that claim?
More troubling still, FBI didn’t have a handle on what privileges their unnamed and squirrelly data retention vendor had on FBI Agents’ phones.
As DOJ IG was trying to puzzle through why it couldn’t find all of Strzok and Page’s texts, the unnamed vendor got squirrelly when asked how the retention tool interacts with administrative privileges.
Upon OIG’s request, ESOC Information Technology Specialist [redacted] consulted with the FBI’s collection tool vendor, who informed the FBI that the collection application does not write to enterprise.db. [Redacted] further stated that ESOC’s mobile device team and the vendor believed enterprise.db is intended to track applications with administrative privileges and may have been collecting the logs from the collection tool or another source such as the Short Message Service (SMS) texting application. The collection tool vendor preferred not to share specific details regarding where it saves collected data, maintaining that such information was proprietary; however, [redacted] represented that he could revisit the issue with the vendor if deemed necessary.
Maybe it’s me, but I find it pretty sketchy that this unnamed collection tool vendor doesn’t want to tell the FBI precisely what they’re doing with all these FBI Agents’ texts. “Proprietary” doesn’t cut it, in my opinion.
DOJ IG has now done what I was hoping they would: use the Strzok-Page incident as an opportunity to identify recommendations to fix the problem more generally. Most alarmingly, it says that the Subject Matter Expert it consulted in this process identified security vulnerabilities in its collection process.
[D]uring the OIG’s forensic examination of FBI mobile devices that were used by the two employees, the OIG discovered a database on the mobile devices containing a plain text repository of a substantial number of text messages sent and received by those devices.
Neither ESOC nor the vendor of the application was aware of the existence, origin, or purpose of this database. OIG analysis of the text messages in the database compared to ESOC productions of text messages during the same time periods when the collection tool was functional identified a significant number of text messages found in the database that were missing from the ESOC production. Furthermore, the Subject Matter Expert with whom the OIG consulted in connection with its forensic analysis of the devices identified additional potential security vulnerabilities regarding the collection application. The OIG has provided these findings to the FBI.
Remember: these phones were used by people read into the most sensitive counterintelligence investigations. They weren’t texting a lot about those investigations on those phones, but they were texting unclassified information about the investigations.
So now, two years after these texts were identified, DOJ’s Inspector General is recommending that FBI fix what even I recognized was a security vulnerability — as well as the other, unnamed ones their SME identified.
Coordinate with the collection tool vendor to ensure that data collected by the tool and stored on the device is saved to a secure or encrypted location.
Verify and address the security vulnerabilities identified by the Subject Matter Expert with whom the OIG consulted, which have been provided to the FBI. Current and future mobile devices and data collection and preservation tools should be tested for security vulnerabilities in order to ensure the security of the devices and the safekeeping of the sensitive data therein.
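The two findings above (a plaintext message store on the device that nobody knew about, and messages in that store that never reached the archive) translate into two checks a forensic examiner or auditor can automate. The script below is an added example, not code from the post, the IG report, or the FBI’s vendor: it walks a directory (standing in for an extracted device filesystem) for SQLite files whose text columns hold readable prose, opening each database read-only, and then reconciles the messages it finds against an archive export to measure the collection gap. The table and column names (`sms`, `body`), phone numbers, message texts and the “archive export” are all constructed for the example; real devices will have different schemas, which is exactly why the scanner looks at column content rather than names.

```python
"""Two checks implied by the OIG findings, run against a constructed sample:
1) locate SQLite files under a filesystem dump whose columns hold readable
   plaintext (the kind of on-device message store the OIG stumbled on), and
2) reconcile those messages against an archive export to measure the gap.
Every database is opened read-only so the evidence is never modified."""
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"

# Constructed sample data: hypothetical numbers and texts, not real messages.
SAMPLE_DEVICE = [
    (1514764800, "+15555550100", "Running late, start the brief without me"),
    (1514768400, "+15555550100", "Copy. Conference room 3 this time"),
    (1514772000, "+15555550101", "Did the travel voucher go through yet"),
    (1514775600, "+15555550101", "Yes, approved this morning"),
    (1514779200, "+15555550102", "Call me when you are out of the meeting"),
    (1514782800, "+15555550102", "Out now, calling in five"),
    (1514786400, "+15555550100", "Need the draft memo by close of business"),
    (1514790000, "+15555550100", "Sending it over shortly"),
    (1514793600, "+15555550103", "Lunch tomorrow at the usual place"),
    (1514797200, "+15555550103", "Works for me, see you then"),
]
# Constructed "archive export": one message never made it (ts 1514786400) and
# one has whitespace drift, which the reconciliation must not count as a gap.
SAMPLE_ARCHIVE = [(ts, peer, body.replace(" ", "  ", 1)) if ts == 1514768400 else (ts, peer, body)
                  for ts, peer, body in SAMPLE_DEVICE if ts != 1514786400]


def q(ident):
    """Quote an SQLite identifier taken from sqlite_master/PRAGMA output."""
    return '"' + ident.replace('"', '""') + '"'


def is_sqlite_file(path):
    """Cheap magic-byte check; file names on a device dump are not reliable."""
    try:
        with open(path, "rb") as f:
            return f.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def find_plaintext_columns(db_path, sample_rows=50):
    """Return {table: [column, ...]} for text-typed columns whose sampled rows
    contain readable prose (printable text with at least one space)."""
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        found = {}
        for table in tables:
            hits = []
            for _cid, col, ctype, *_rest in con.execute(f"PRAGMA table_info({q(table)})").fetchall():
                t = ctype.upper()
                if t and not any(k in t for k in ("CHAR", "TEXT", "CLOB")):
                    continue  # numeric/blob columns are not plaintext bodies
                try:
                    rows = con.execute(f"SELECT {q(col)} FROM {q(table)} WHERE {q(col)} IS NOT NULL "
                                       f"LIMIT {int(sample_rows)}").fetchall()
                except sqlite3.OperationalError:  # undecodable bytes in a TEXT column
                    continue
                if any(isinstance(v, str) and " " in v and v.isprintable() for (v,) in rows):
                    hits.append(col)
            if hits:
                found[table] = hits
        return found
    finally:
        con.close()


def scan_tree(root):
    """Walk root and return {db_path: {table: [columns]}} for every SQLite file
    that holds readable text."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            if not is_sqlite_file(p):
                continue
            try:
                hits = find_plaintext_columns(p)
            except sqlite3.DatabaseError:
                continue  # corrupt or encrypted container: note it, move on
            if hits:
                results[p] = hits
    return results


def reconcile(device_msgs, archived_msgs):
    """Return (messages on the device missing from the archive, gap fraction).
    Keys normalise timestamp type and body whitespace before comparing."""
    def key(m):
        ts, peer, body = m
        return (int(ts), str(peer).strip(), " ".join(str(body).split()))
    archived = {key(m) for m in archived_msgs}
    missing = [m for m in device_msgs if key(m) not in archived]
    gap = len(missing) / len(device_msgs) if device_msgs else 0.0
    return missing, gap


def build_sample_device(root):
    """Constructed sample dump: one SQLite message store plus a non-SQLite decoy."""
    db = os.path.join(root, "data", "messages.db")
    os.makedirs(os.path.dirname(db), exist_ok=True)
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, ts INTEGER, address TEXT, body TEXT)")
    con.executemany("INSERT INTO sms (ts, address, body) VALUES (?, ?, ?)", SAMPLE_DEVICE)
    con.execute("CREATE TABLE settings (k TEXT, v BLOB)")  # must not be flagged
    con.execute("INSERT INTO settings VALUES ('token', ?)", (b"\x00\x01\x02\xff",))
    con.commit()
    con.close()
    with open(os.path.join(root, "data", "notes.txt"), "w") as f:
        f.write("not a database")
    return db


def demo():
    """Run both checks on the constructed dump; returns (hits, missing, gap)."""
    with tempfile.TemporaryDirectory() as root:
        db = build_sample_device(root)
        hits = {os.path.basename(p): h for p, h in scan_tree(root).items()}
        con = sqlite3.connect(db)
        device_msgs = con.execute("SELECT ts, address, body FROM sms ORDER BY ts").fetchall()
        con.close()
        missing, gap = reconcile(device_msgs, SAMPLE_ARCHIVE)
        return hits, missing, gap


if __name__ == "__main__":
    hits, missing, gap = demo()
    print("plaintext stores:", hits)
    print(f"missing from archive: {len(missing)} ({gap:.0%})")
    for m in missing:
        print("  ", m)
```

On a real dump the scanner is pointed at the extracted data partition and every hit is a location where message content sits unencrypted at rest, which is what the first recommendation above asks the FBI to eliminate; the reconciliation is the same comparison the OIG performed by hand between the device database and the ESOC productions, and the gap it prints is the number the vendor’s 90% figure describes.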
Accused defendants should not have to guess whether or not the FBI Agents investigating them discussed their case via texts that have disappeared forever. And the country, generally, should not have to worry that the phone of its top counterintelligence Agent might be compromised because of a dodgy vendor FBI hired to collect (some of) his texts.
Sadly, DOJ IG doesn’t include another recommendation that seems like a no-brainer: that FBI switch to iPhones from the Samsungs they currently issue, both because iPhones have better security and because there is better visibility into the supply chain.
I don’t think the FBI likes Apple after so many fights about their encryption. I don’t either and have never spent one cent on an Apple product or file, but that’s beside the point. I’m suggesting institutional aversion to Apple resulted in the non-recommendation.
Got to love SME’s (smeees)! The Human Rain Delay of any project you hope to wrap up in a timely manner. As a pro-infosec guy, I was so pleased to see this post!
When the prior post came up, I was floored by the third-party vendor being cagey (if they were selling that information) or negligent (if they were hoping to downplay the severity of their mistake). Neither filled me with confidence in them. Time to find a different contractor!
I suspect the FBI has a very strong “not invented here” attitude. It appears FBI Purchasing didn’t have or know who to include in spec’ing the RFP nor in evaluating proposals. If you don’t know what you don’t know, this will occur over and over.
The issue with Android vs iOS remains the ability to run root-level code to handle the retention and prevent users overriding it. (Mueller’s team operates under less strict retention standards than the FBI agents who were issued Samsungs.)
iOS mobile device management has become a lot more sophisticated over the past decade, but it’s still focused more on device security and workplace compliance — no camera/mic access, app and website filters, remote lock and wipe, etc. — than on preserving communications.
Those root-level vendor hacks for Android are janky as fuck, often mess about with private APIs — another thing a vendor wouldn’t want to admit — and are therefore likely to break with OS updates. They’re essentially hacking the OS, which is why it’s a misguided use of money and a security risk, though I think the vendor nefariousness is from selling hacky tools for $$$$$ than anything more sinister. (Oh, enterprise software.)
The best practice for group messaging with central retention/archiving on iOS is to force it through a custom app while locking out other apps, but that obviously creates compatibility issues with typical IM / SMS protocols, which in turn may encourage users to communicate through non-work devices instead.
I think this is a pretty succinct summary of the issues at hand. It seems to me like the only way that the US government could genuinely solve all the issues (including the supply chain one MW outlines above) would be to commission the production of a device (and an Android flavor, AND an application layer) that is purpose-built for classified use. That would undoubtedly be the proverbial “$400 hammer” from a procurement standpoint but nobody’s going to find an OTS product that does the trick.
Doesn’t the cell phone provider archive texts? I thought the Patriot act did that.
I’m waiting for the day we learn that Amazon Web Services’ massive $$$$$ classified cloud has been compromised by a rootkit vulnerability that everyone should have predicted but no one bothered to look for.
Don’t forget that October 4th report by Bloomberg of tiny chips in motherboards which the Big Tech community denied. The report is still up and there’s been no lawsuit filed by any FAANG company.
Oh, as I said in the last thread on this topic, if the FBI wants to implement root-level retention in Android, it needs to fork and maintain the codebase entirely in-house. Don’t outsource core competencies.
From the Blog of Donald Watkins (Alabama businessman who’s on trial this week) in 2016—Check out the references to Rogue FBI Agent Keith Baker and his email shenanigans :
Local FBI agent Keith Baker was one of the case agents who worked on the Siegelman-Scrushy bribery case. Baker later became the lead FBI case agent in the 2010 federal bribery case against VictoryLand owner Milton McGregor, Dothan casino developer Ronnie Gilley, several state legislators, and two lobbyists. McGregor and Gilley were accused of bribing the defendant legislators. What the public and defendants did not know at the time was this: Baker, who was married, was having a secret extramarital affair with Mallory Johnson, a married federal court reporter who recorded and transcribed secret grand jury testimony in this case. Mallory leaked this testimony to Baker, who appears to have given this evidence to then-Governor Bob Riley, a longtime political foe of McGregor.
When this matter was brought to the attention of trial judge Myron Thompson, he conducted a closed hearing to get to the bottom of this matter. Baker and Johnson confirmed their secret love affair and the grand jury leaks. Text messages between the two lovers seemed to bring Riley* directly into the mix. (*Governor Rob Riley, political opponent of former Alabama Governor Don Siegelman)
That was not the only surprise awaiting Judge Thompson: When Baker received a defense request for 8,000 text messages on his phone during the time period of his investigation, they went missing. A check on the FBI servers revealed the copies of the text messages were also missing for that period of time. No other text messages on the server were missing.
Thompson also learned that Baker had a secret inappropriate relationship with an unnamed “female courtroom deputy” during Siegelman’s trial. Fuller only had one such deputy – the woman he married. An upset Judge Thompson thereafter banned Baker from his courtroom during the trial proceedings.